Analysis Date: 2016-01-08 06:59:55
MD5: 7a853fc77c39729b6c9fbe903f3869b8
SHA1: 5b323e127a8b6c86988cb71ebe8a03f04ee63466

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text:  md5: f1e2ce874183948cb286b9fd5b061d41  sha1: 540e86544c6208a85074dbb85c5793136189c61f  size: 40448
Section .rdata: md5: 1f393c08002315e4578ff192d0f0b290  sha1: 782a0e750af6f45aadcc66707a110b556173b881  size: 11264
Section .data:  md5: 746c35c2d4486491e4516baffdd87c7b  sha1: 7052ed34671303af8e54bbd14f8fd9e630aa6124  size: 45568
Section .reloc: md5: cbfa3376cc71f744f394e80e01ed2b39  sha1: 9b5279a0fd8218d6244d2993eb55211c817a9199  size: 4608
Timestamp: 2015-12-31 11:08:13
Packer: Microsoft Visual C++ ?.?
PEhash: e13da2c17415c91cd9d79d94f0562c15afcc2ec5
IMPhash: b902dd238c5e71374dec2baa72997cd3

AV results:
Fortinet: W32/Yakes.EJRB!tr
MicroWorld (escan): Gen:Variant.Zusy.174788
F-Secure: Gen:Variant.Zusy.174788
MalwareBytes: Backdoor.Andromeda
Mcafee: RDN/Generic.grp
Emsisoft: Gen:Variant.Zusy.174788
Trend Micro: No Virus
Dr. Web: Trojan.MulDrop6.18634
Microsoft Security Essentials: Worm:Win32/Gamarue!rfn
Authentium: W32/Trojan.GXWB-8761
Grisoft (avg): Crypt5.XTV
Twister: No Virus
BullGuard: Gen:Variant.Zusy.174788
Zillya!: No Virus
Ikarus: Trojan.Win32.Crypt
Kaspersky: Trojan.Win32.Yakes.okhq
VirusBlokAda (vba32): No Virus
ClamAV: No Virus
Eset (nod32): Win32/Kryptik.EJRB
Alwil (avast): Dorder-Q [Trj]
CA (E-Trust Ino): No Virus
BitDefender: Gen:Variant.Zusy.174788
Frisk (f-prot): No Virus
Symantec: No Virus
K7: Trojan ( 004dab2f1 )
Ad-Aware: Gen:Variant.Zusy.174788
Avira (antivir): TR/Crypt.Xpack.359397
Arcabit (arcavir): Gen:Variant.Zusy.174788
CAT (quickheal): No Virus
Rising: No Virus

Runtime Details:

Process: C:\malware.exe
  Creates Process: C:\WINDOWS\system32\msiexec.exe

Process: C:\WINDOWS\system32\msiexec.exe
  Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\Explorer\TaskbarNoNotification ➝ 1
  Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\Policies\Explorer\Run\317606753 ➝ C:\Documents and Settings\All Users\msvgqh.exe\\x00
  Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\advanced\ShowSuperHidden ➝ NULL
  Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\Explorer\TaskbarNoNotification ➝ 1
  Registry: HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\Windows\Load ➝ \\x00
  Creates File: PIPE\lsarpc
  Creates File: C:\Documents and Settings\All Users\msvgqh.exe
  Creates File: C:\Documents and Settings\All Users\114390
  Creates File: \Device\Afd\Endpoint
  Deletes File: C:\5B323E~1.EXE
  Winsock DNS: pool.ntp.org
  Winsock DNS: africa.pool.ntp.org
  Winsock DNS: south-america.pool.ntp.org
  Winsock DNS: microsoft.com
  Winsock DNS: north-america.pool.ntp.org
  Winsock DNS: asia.pool.ntp.org
  Winsock DNS: oceania.pool.ntp.org
  Winsock DNS: ringplanet.eu
  Winsock DNS: europe.pool.ntp.org

Network Details:

Flows UDP: 192.168.1.1:1043 ➝ 8.8.4.4:53
Flows TCP: 192.168.1.1:1044 ➝ 104.43.195.251:80
Flows UDP: 192.168.1.1:1045 ➝ 8.8.4.4:53
Flows UDP: 192.168.1.1:1046 ➝ 8.8.4.4:53
